These approaches take into account threats against a software application. Threats are risks of security exploits. For example, threats exist against software applications using the network interface because someone can intercept data sent and received over the network interface. Threat-based approaches therefore use an external perspective, because the threats are external to the software application. Assessing the security of an application involves identifying threats and testing whether they can be realized. • Vulnerability-based approaches: These approaches take into account the vulnerabilities present in the software application. Vulnerability is defined as a system state. What differentiates a vulnerable state from any other state is the fact that it is possible to move from this state to an incorrect system state [BISH96b]. In other words, vulnerability is a flaw that, when exploited, can produce undesired or incorrect behavior. Vulnerability-based approaches therefore use an internal perspective to assess security, because vulnerabilities are internal to the software application. Software applications are attacked by exploiting the vulnerabilities present in them. Therefore, security assessment can be carried out by identifying the vulnerabilities present in the software application. It is important to note the difference between a vulnerability and an exploit. An exploit consists of a vulnerability present in the software application and a method used to take advantage of this vulnerability. So, an exploit occurs when a method is applied to exert the vulnerability. For example, the buffer overflow exploit consists of a vulnerability that is an unlimited buffer; the method used to exert this vulnerability involves storing data larger than the middle of paper......the security of the software as well as its attributes. Some techniques for providing such assurances have been developed in the past, but no single technique has provided a complete solution to the problem. Thus, this thesis will explore the effectiveness of combining two of these techniques into a single tool. The broader goal of this research is to improve the available methods and the software testing lifecycle. Currently, there are a number of fads in software development, each with their own buzzwords like "extreme" and "agile." Each of these modes comes with its own testing methodology. However, the majority of them are aimed at ensuring that a system does everything it is supposed to do, that it is complete. There are few tools available to ensure that a system is free from excessive functionality. The goal of this research is to provide a tool that accomplishes both.